Multiple OpenVPN Client Routing Policies through GUI

I heard back from PrivateTunnel. They say that they only support one active VPN server per device. I may give HMA a go, but they seem pricey (especially compared to PrivateTunnel!). Do you know anything about PIA (privateinternetaccess)?

Any good and do they support multiple VPNs from one device?

Sorry, although I have trialled several VPN providers (whilst still retaining my HMA subscription) I'm afraid PIA wasn't one of them.

NOTE: I have in the past received emails from HMA stating that I had exceeded my allowed limit of two concurrent devices.

i.e. I recall I had 4 or 5 VPN Clients connected concurrently on the router i.e. one device, and when I replied to clarify the terms, they implied I had apparently used 6 concurrent connections from 3 devices!!! although several only lasted for less than a minute. Apparently I must have triggered the violation when testing my script to flip between active VPN Client connections, and HMA state they ideally need up to 60 secs between a disconnect/reconnect, so maybe the WAN unfortunately acquired a new IP address hence the perceived 3 devices? o_O

So I'd make sure the T&Cs from your chosen VPN provider truly agree that 5 concurrent VPN Client connections from a single router are acceptable etc.
 
Thanks, Martineau. I've been looking at PIA a bit more and it seems good. My current plan with PrivateTunnel allows up to 5 separate devices. People do seem to be connecting to two VPNs on PIA so I might give them a try. I'm not usually so money-minded, but I paid out for 2 years on PrivateTunnel (at a very good price!) so I am trying to minimize my unexpected extras:) For the time being, I could just use two separate VPN providers, but it also gives me a chance to pick a favourite!
 
PIA supports multiple tunnels on a single device. I currently have 2 PIA clients running on my ac-88 and am directing different devices over each tunnel.

Sent from my Pixel using Tapatalk
 
Yes, after a couple of hours of messing with their config files and instructions elsewhere, I've got PIA working. Unfortunately, I've discovered that I can't watch Comedy Central with it (from the UK) which is what I wanted the two tunnels for.
 
Before subscribing to HMA I signed up with (and still have) a SmartDNS account which is way better for streaming performance than a VPN, and I've just tried Comedy Central and it appears to work!:)
 
Just an update and a question. I've fixed my CIDR mask. I was using both 172.16.0.0 and 172.16.1.0, so I've adjusted my DHCP and use just 172.16.0.0/24 now.


Thanks in advance.

I use TorGuard and can have multiple tunnels up at the same time on the router. They just have a restriction of five active connections at one time.
 
SmartDNS looks a little complicated for what I want to do - which is to send some traffic direct through my ISP and the rest through a VPN. As I understand it, they want to link my IP address to the DNS requests. It isn't fixed in the first place, and because of the VPN/ISP factor, it will be different depending on the routing policies. I've written to ask them how/if this might work.

Anyway, if HMA works with Comedy Central, are there some Merlin instructions for setting it up? I've had a scan around but only see some PPTP guidance.
 
I had the same issue when I looked into this last year. I have a dynamic IP address assigned by the ISP. Having to logon to the SmartDNS website each time to see if it changed was not going to work with other members in my household. If they ever use dnsomatic service, I may take another look at it. But I have super high speed fiber and even though my OpenVPN speeds are not great, I can stream 4K and live sporting events with no buffering.
 
The SmartDNS isn't complicated.

All you need to do is add the site(s) to /jffs/configs/dnsmasq.conf.add and restart dnsmasq.

e.g. the family liked to watch 'The Big Bang theory' just 7 days after the new episodes aired in the US (we don't have a CBS access subscription though)
Code:
server=/cbs.com/64.145.73.5

So in order to authenticate with the SmartDNS provider, I have a curl script that runs from wan-start to simply register the router's current ISP WAN address via their web page, and that is it...not complicated at all!

Just adding the cc.com I/P address in the Policy Rules worked for HMA.
 
A summary of what I've found so far regarding multiple simultaneous VPN connections from the same router:

So far, I know these DON'T support it:
Private Tunnel
NordVPN (unless you're prepared to run one connection UDP and the other TCP - so max 2 connections)

This one I've tried and it's supported (but I can't watch Comedy Central which is part of the goal):
Private Internet Access

These I am told do support it (but I've not tried these myself):
HideMyAss
TorGuard

The key is apparently whether the VPN provider uses different subnets within their tunnels at different locations. If they use the same subnets everywhere, you can only connect one. The symptoms of this failure make it look like the router is confused - everything gets sent to one VPN location (probably the first defined) and if you look at the routing tables (see earlier in this thread), the internal routing IP is the same for each VPN location. The TCP/UDP trick might get you up to 2 locations, but it depends whether the VPN provider uses different subnets for each protocol. I don't suppose they have to (correct me if I'm wrong!).

Please feel free to reply to this post with any information you might have about other VPNs. I'd be particularly interested to know about ExpressVPN, for instance, since they're listed as allowing Comedy Central access.
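A quick way to check for the same-subnet condition described above, as an added example that is not from this thread: a small shell script that reads the per-client routing tables of an Asuswrt-Merlin router (ovpnc1, ovpnc2, ...) and flags two tunnels that share a tunnel subnet or gateway. The route lines it parses are constructed sample output; set USE_LIVE=1 to read the real tables with ip route instead.

```shell
#!/bin/sh
# Added example, not from the thread: compare per-client routing tables on an
# Asuswrt-Merlin router (ovpnc1, ovpnc2, ...) and flag two tunnels that were
# handed the same tunnel subnet or gateway, the condition described above.
# routes_for_table TABLE: with USE_LIVE=1 runs `ip route show table TABLE`;
# otherwise prints constructed sample output in which ovpnc1 and ovpnc2 share
# 10.8.0.0/24 (same "internal routing IP") while ovpnc3 has a distinct subnet.
routes_for_table() {
  if [ "${USE_LIVE:-0}" = 1 ]; then
    ip route show table "$1"
    return
  fi
  case "$1" in
    ovpnc1) printf '%s\n' '0.0.0.0/1 via 10.8.0.1 dev tun11' \
              '128.0.0.0/1 via 10.8.0.1 dev tun11' \
              '10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6' ;;
    ovpnc2) printf '%s\n' '0.0.0.0/1 via 10.8.0.1 dev tun12' \
              '128.0.0.0/1 via 10.8.0.1 dev tun12' \
              '10.8.0.0/24 dev tun12 proto kernel scope link src 10.8.0.10' ;;
    ovpnc3) printf '%s\n' '0.0.0.0/1 via 10.9.4.1 dev tun13' \
              '128.0.0.0/1 via 10.9.4.1 dev tun13' \
              '10.9.4.0/24 dev tun13 proto kernel scope link src 10.9.4.6' ;;
    *) echo "unknown table $1" >&2; return 1 ;;
  esac
}

# Gateway of the 0.0.0.0/1 route OpenVPN installs when it takes the default route.
tunnel_gateway() {
  routes_for_table "$1" | awk '$1 == "0.0.0.0/1" && $2 == "via" { print $3; exit }'
}

# On-link subnet of the tun device (the kernel-added "proto kernel" route).
tunnel_subnet() {
  routes_for_table "$1" | awk '$3 ~ /^tun/ && /proto kernel/ { print $1; exit }'
}

# check_conflict TABLE_A TABLE_B: prints CONFLICT when both tables share a
# tunnel subnet or gateway, otherwise OK with the distinct values.
check_conflict() {
  gw_a=$(tunnel_gateway "$1"); gw_b=$(tunnel_gateway "$2")
  net_a=$(tunnel_subnet "$1"); net_b=$(tunnel_subnet "$2")
  same=0
  [ -n "$gw_a" ] && [ "$gw_a" = "$gw_b" ] && same=1
  [ -n "$net_a" ] && [ "$net_a" = "$net_b" ] && same=1
  if [ "$same" = 1 ]; then
    echo "CONFLICT: $1 and $2 both use subnet $net_a via $gw_a"
  else
    echo "OK: $1 ($net_a via $gw_a) and $2 ($net_b via $gw_b) are distinct"
  fi
}

check_conflict ovpnc1 ovpnc2   # CONFLICT: ovpnc1 and ovpnc2 both use subnet 10.8.0.0/24 via 10.8.0.1
check_conflict ovpnc1 ovpnc3   # OK: ovpnc1 (10.8.0.0/24 via 10.8.0.1) and ovpnc3 (10.9.4.0/24 via 10.9.4.1) are distinct
```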
 
Not having much luck with HMA. I can connect to their London-Virtual-USA server and get an address that is reported to be in the US, but still can't watch CC. If I try to connect to one of the NY locations (Liberty Island or Manhattan) I get addresses reported to be in the Czech Republic! I've got a ticket open with them, so will report back.

Could you share your curl script for SmartDNS? I might give that a go while I'm waiting. TIA.
 
As in my previous post, there is no curl/script/RPDB rule when using a SmartDNS, it's the dnsmasq.conf entry that makes the 'speedy' SmartDNS work!

For HMA to work, it only needs the appropriate RPDB rule:

Code:
ip rule

0: from all lookup local
7001: from 10.88.101.0/24 lookup NewYork
9990: from all fwmark 0x7000 lookup main
9991: from all fwmark 0x1000 lookup NewYork
10001: from all to 52.31.49.122 lookup main
10002: from all to 52.210.48.64 lookup main
10003: from 172.0.0.1 lookup main
10101: from all to 216.87.148.114 lookup NewYork
10701: from all to 10.99.8.0/24 lookup Glenside
32766: from all lookup main
32767: from all lookup default

Currently using HMA node in New York rather than one of their UK Virtual USA Servers:
Code:
OpenVPN Client 1 - Connected (208.167.255.131 tcp-client:443)

Statistics TUN/TAP read bytes 56,941 TUN/TAP write bytes 473,001
TCP/UDP read bytes 1,029,671 TCP/UDP write bytes 542,143
Auth read bytes 542,469
 
I thought I needed a curl script to authenticate? I'll still be using a VPN so otherwise, SmartDNS would be confused. What you mentioned earlier was "So in order to authenticate with the SmartDNS provider, I have a curl script that runs from wan-start to simply register the router's current ISP WAN address via their web page, and that is it...not complicated at all!".

For HMA I do have a routing rule and for the London-Virtual-USA node I am getting USA addresses, but still can't watch CC. Like I said, if I change to one of the "native" US nodes I get addresses in the Czech Republic (same routing rule in all cases).

Here's the rule table on my router. How did you get the locations in yours?

admin@RT-AC88U-D350:/tmp/home/root# ip rule
0: from all lookup local
10101: from 172.16.0.0/24 to 216.87.148.114 lookup ovpnc1
10102: from 172.16.0.0/24 to 188.113.88.193 lookup ovpnc1
10201: from 172.16.0.0/24 to 212.58.224.0/19 lookup main
10202: from 172.16.0.0/24 to 52.48.32.52 lookup main
10203: from 172.16.0.0/24 to 185.28.202.30 lookup main
10204: from 172.16.0.0/24 to 52.50.200.133 lookup main
10205: from 172.16.0.0/24 to 161.73.246.13 lookup main
10206: from 172.16.0.0/24 to 137.108.198.32 lookup main
10207: from 172.16.0.0/24 to 52.205.176.223 lookup main
10301: from 172.16.0.0/24 lookup ovpnc2
32766: from all lookup main
32767: from all lookup default

Anyway, ovpnc1 is connected to HMA's Manhattan node 77.234.44.225 but from it I am getting IP addresses in the Czech Republic (Prague this morning). The 216 address above is CC and the 188 address is ifconfig.co. Here's what ifconfig.co reports:

What is my IP address?
77.234.46.135

Country lookup:
$ http ifconfig.co/country
Czechia
City lookup:
$ http ifconfig.co/city
Prague
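To see which table a LAN client's packet ends up in under rules like these, here is an added example (not posted in the thread) that evaluates a saved ip rule listing in priority order, first match wins. The rule lines are a constructed subset of the table above; fwmark rules and the local table are skipped as noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: walk a saved `ip rule` listing the way
# the kernel does (lowest priority first, first match wins) and print the
# routing table a LAN client's packet to a given destination is looked up in.
# Constructed subset of the rules above, in the format `ip rule` prints them.
# To check a live router replace this with: RULES=$(ip rule)
RULES='0: from all lookup local
10101: from 172.16.0.0/24 to 216.87.148.114 lookup ovpnc1
10201: from 172.16.0.0/24 to 212.58.224.0/19 lookup main
10301: from 172.16.0.0/24 lookup ovpnc2
32766: from all lookup main
32767: from all lookup default'
# Dotted quad -> 32-bit integer.
ip2int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_prefix ADDR PREFIX: true if ADDR lies in PREFIX ("all", a.b.c.d or a.b.c.d/n).
in_prefix() {
  [ "$2" = all ] && return 0
  net=${2%/*}; plen=${2#*/}
  [ "$plen" = "$2" ] && plen=32             # a bare address means /32
  mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# lookup_table SRC DST: prints the table the first matching rule selects.
# fwmark rules are skipped (no packet mark is modelled here) and so is the
# local table, which only holds the router's own addresses, so a forwarded
# packet falls through it to the next rule.
lookup_table() {
  src=$1; dst=$2
  printf '%s\n' "$RULES" | while read -r prio rest; do
    case "$rest" in *fwmark*) continue ;; esac
    set -- $rest
    from=all; to=all; table=
    while [ $# -gt 1 ]; do
      case "$1" in
        from)   from=$2 ;;
        to)     to=$2 ;;
        lookup) table=$2 ;;
      esac
      shift 2
    done
    [ "$table" = local ] && continue
    if in_prefix "$src" "$from" && in_prefix "$dst" "$to"; then
      echo "$table"
      break
    fi
  done
}

lookup_table 172.16.0.5 216.87.148.114   # the cc.com address above -> ovpnc1
lookup_table 172.16.0.5 203.0.113.10     # any other destination from the LAN -> ovpnc2
```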
 
Actually, I've just tried a different IP location service and it says the address is in NYC. So I'll stop using ifconfig.co! Still can't watch CC, though:( Could you post your SmartDNS curl authentication script?
 
Yeah I prefer https://ipleak.net for comprehensive (if using Chrome) geo-location checking etc.

Doh! - of course I use a curl script :oops: (clearly not enough coffee yet) called from wan-start and just before init-start terminates (it sleeps for 180secs) it sends a ('sanitised' i.e. no usernames/passwords etc.) email collating various log files etc. including the SmartDNS authentication status/log.

/jffs/scripts/Unblock-US.sh

Code:
#!/bin/sh

MYROUTER=$(nvram get computer_name)

USEPATH="/tmp/mnt/$MYROUTER"

USERNAME="meeeeeeeeeeeeee"
PASS="secret"

logger -st "($(basename "$0"))" $$ "$USEPATH is used for Unblock-US Log files......"

# Overwrite the log with a FAILED line first so its timestamp proves we ran;
# curl below replaces it with the real transcript if the request goes ahead
echo "$(date) FAILED to refresh Unblock-US" > "$USEPATH/Unblock-us.log"

# Remove 'active' from the status file so this should be an indicator in the email to perform a manual authentication
echo "Unknown - manual authentication required - http://www.unblock-us.com/" > "$USEPATH/Unblock-us-status"

# URL quoted so the shell cannot glob-expand the '?'; -v writes the transcript to stderr, i.e. the log file
curl -o "$USEPATH/Unblock-us-status" -v "https://api.unblock-us.com/login?${USERNAME}:${PASS}" 2>"$USEPATH/Unblock-us.log"

logger -st "($(basename "$0"))" $$ "Unblock-US authentication complete"

exit 0
 
So far I've got SmartDNSProxy working by listing its local DNS server and web IP addresses in my WAN rules. It actually works! I'll use your script (adapted for a different service, I guess) if I come unstuck. Thanks for all your help.
 
Ahh good to know......clearly my dnsmasq.conf.add SmartDNS config tweaks have been in place well before April 2015 when the firmware finally supported Selective Routing via the GUI! ;)
 
